The team at ID Experts recently released "10 Things to Consider before Buying Cyber Insurance." We developed the list based on our experiences working with breached clients and the information they have shared with us relative to insurance coverage. In a previous post I made note of finding a broker with a very thorough understanding of the policies available, and the potential risks their insured may experience, to best tailor the policy.
Another suggestion we provide on the checklist is utilizing the value-added services, if available, which may be offered by your insurance carrier or agency. These services are generally aimed at improving the level of compliance with privacy and security regulations, ultimately reducing the risks of the insured. When a breach strikes, it is often the event that exposes not only the weakness in how the information was compromised but potentially all other gaps in privacy and security compliance. Working to improve your privacy and security compliance proactively by incorporating smaller, consistent changes is significantly less painful than being required to do this by a regulator post-breach.
What I am referring to is a corrective action plan, which is many times the result of a state or federal investigation once a breach has occurred. This can be a large, unbudgeted expense, since it is usually an overcorrection which may require new FTEs, systems, and continuous reporting to the agency requesting it. These post-breach costs are rarely covered in a cyber-liability policy. So your organization's lack of compliance can get very expensive post-breach, even with insurance coverage. The value-added services offered by many can help improve your compliance posture and minimize the extent of the corrective action plan post-breach. If they are offered, consider taking full advantage.
If you have any questions or comments on this checklist, or more generally on cyber insurance selection and how it plays into your overall data breach risk mitigation strategies, feel free to contact me at +1-760-304-4761 or Jeremy.firstname.lastname@example.org.